'\" t
.\"     Title: traffic_learner
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 03/09/2023
.\"    Manual: User Commands
.\"    Source: Samba 4.17.6
.\"  Language: English
.\"
.TH "TRAFFIC_LEARNER" "7" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
traffic_learner \- Samba tool to assist with traffic generation\&.
.SH "SYNOPSIS"
.HP \w'\ 'u
traffic_learner {\-o\ OUTPUT_FILE\ \&.\&.\&.} [\-h] [\-\-dns\-mode\ {inline|count}] [SUMMARY_FILE] [SUMMARY_FILE\ \&.\&.\&.]
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
This tool assists with generation of Samba traffic\&. It takes a traffic\-summary file (produced by
traffic_summary\&.pl) as input and produces a traffic\-model file that can be used by
traffic_replay
for traffic generation\&.
.PP
The model file summarizes the types of traffic (\*(Aqconversations\*(Aq between a host and a Samba DC) that occur on a network\&. The model file describes the traffic in a way that allows it to be scaled, so that more (or fewer) packets get sent and the packets can be sent at a faster (or slower) rate than that seen in the network\&.
.SH "OPTIONS"
.PP
\-h|\-\-help
.RS 4
Print a summary of command line options\&.
.RE
.PP
SUMMARY_FILE
.RS 4
File containing a network traffic\-summary\&. The traffic\-summary file should be generated by
traffic_summary\&.pl
from a packet capture of actual network traffic\&. More than one file can be specified, in which case the traffic will be combined into a single traffic\-model\&. If no SUMMARY_FILE is specified, this tool will read the traffic\-summary from STDIN, i\&.e\&. you can pipe the output from traffic_summary\&.pl directly to this tool\&.
.RE
.PP
\-o|\-\-out OUTPUT_FILE
.RS 4
The traffic\-model that is produced will be written to this file\&. The OUTPUT_FILE can then be passed to
traffic_replay
to generate (and manipulate) Samba network traffic\&.
.RE
.PP
\-\-dns\-mode [inline|count]
.RS 4
How DNS traffic should be handled by the model\&.
.RE
.SH "EXAMPLES"
.PP
To take a traffic\-summary file and produce a traffic\-model file, use:
.PP
traffic_learner traffic\-summary\&.txt \-o traffic\-model\&.txt
.PP
To generate a traffic\-model from a packet capture, you can pipe the traffic summary to STDIN using:
.PP
tshark \-r capture\&.pcapng \-T pdml | traffic_summary\&.pl | traffic_learner \-o traffic\-model\&.txt
.SH "OUTPUT FILE FORMAT"
.PP
The output model file describes a Markov model estimating the probability of a packet occurring given the last two packets\&.
.PP
The count of each continuation after a pair of successive packets is stored, and the ratios of these counts are used to calculate probabilities for the next packet\&.
.PP
The model is stored in JSON format, and also contains information about the packet rate and DNS traffic rate\&.
.SS "Example ngram listing"
.PP
The following listing shows a contrived example of a single ngram entry\&.
.sp
.if n \{\
.RS 4
.\}
.nf
          "ngrams": {
             "ldap:0\etdcerpc:11": {
                 "lsarpc:77": 1,
                 "ldap:2": 370,
                 "ldap:3": 62,
                 "wait:3": 2,
                 "\-": 1
             }, [\&.\&.\&.]
          }
        
.fi
.if n \{\
.RE
.\}
.PP
This counts the observed continuations after an ldap packet with opcode 0 (a bind) followed by a dcerpc packet with opcode 11 (also a bind)\&. The most common next packet is "ldap:2" which is an unbind, so this is the most likely packet type to be selected in replay\&. At the other extreme, lsarpc opcode 77 (lookup names) has been seen only once, and it is unlikely but possible that this will be selected in replay\&.
.PP
There are two special packet types here\&. "wait:3" refers to a temporary pause in the conversation, where the "3" pseudo\-opcode indicates the length of the wait on an exponential scale\&. That is, a "wait:4" pause would be about 2\&.7 times longer than a "wait:3", which in turn would be similarly longer than a "wait:2"\&.
.PP
The other special packet is "\-", which represents the limit of the conversation\&. In the example, this indicates that one observed conversation ended after this particular ngram\&. This special opcode is also used at the beginning of conversations, which are indicated by the ngram "\-\et\-"\&.
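.PP
The following Python sketch is an added example and is not part of the Samba tools\&. It turns the counts in the listing above into next\-packet probabilities and walks a model from the start ngram to the end marker\&. The sample model is constructed (the listing plus two made\-up opening entries, with only the "ngrams" section present), the function names are hypothetical, and the one\-packet slide of the two\-packet context is an assumption\&.
.sp
.nf
```python
import json
import random

TAB = chr(9)  # an ngram key is the two previous packets joined by a tab
END = "-"     # conversation-limit marker

# Constructed sample: the listing above plus two made-up opening entries.
SAMPLE_MODEL = json.dumps({"ngrams": {
    END + TAB + END: {"ldap:0": 1},
    END + TAB + "ldap:0": {"dcerpc:11": 1},
    "ldap:0" + TAB + "dcerpc:11": {
        "lsarpc:77": 1, "ldap:2": 370, "ldap:3": 62, "wait:3": 2, END: 1},
}})


def continuation_probabilities(model, prev2, prev1):
    """Turn the stored counts for one packet pair into probabilities."""
    counts = model["ngrams"][prev2 + TAB + prev1]
    total = sum(counts.values())
    return {pkt: n / total for pkt, n in counts.items()}


def sample_conversation(model, rng, max_len=20):
    """Walk the model from the start ngram until the end marker.

    Assumption: the two-packet context slides forward one packet per step.
    """
    prev2, prev1, packets = END, END, []
    while len(packets) < max_len:
        counts = model["ngrams"].get(prev2 + TAB + prev1)
        if not counts:
            break  # context never observed in the summary
        nxt = rng.choices(list(counts), weights=list(counts.values()))[0]
        if nxt == END:
            break
        packets.append(nxt)
        prev2, prev1 = prev1, nxt
    return packets


if __name__ == "__main__":
    model = json.loads(SAMPLE_MODEL)
    for pkt, p in sorted(continuation_probabilities(
            model, "ldap:0", "dcerpc:11").items(), key=lambda kv: -kv[1]):
        print(f"{pkt:10s} {p:.4f}")
    print(sample_conversation(model, random.Random(1)))
```
.fi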
.SH "VERSION"
.PP
This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
.SH "SEE ALSO"
.PP
\fBtraffic_replay\fR(7)\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
The traffic_learner tool was developed by the Samba team at Catalyst IT Ltd\&.
.PP
The traffic_learner manpage was written by Tim Beale\&.
